Silva Security Alert 2005.02.02

Publication date: 5.February.2005, 06:56

2 February 2005 – Infrae has discovered a severe security bug in Silva, which potentially allows untrusted users to alter live images and files (all listed versions), as well as alter the draft state of Silva Documents (in versions 0.9.3 and above). If your organisation is running Silva we strongly recommend an upgrade as soon as possible.

The problem has been found in all Silva versions currently in use. We’ve fixed it in our version control repository for the following major versions:

Silva 1.2 (under development)

Silva 1.1

Silva 1.0

Silva 0.9.3

Silva 0.9.2

Silva 0.9.1

The recommended way to fix this problem is to upgrade to the new bugfix
release for the major version of Silva that you are running. We have
made bugfix releases of the affected Zope products available.

For versions of Silva 0.9.1 and 0.9.2, only an upgrade of the Silva
product itself is necessary. For versions of Silva 0.9.3 and up, an
upgrade of both the Silva and SilvaDocument products is needed. Only these products need upgrading.

If you have any questions or special requirements concerning your
upgrade, please contact Infrae.

0.9.1

0.9.2

0.9.3

1.0

Silva-1.0.3.tgz

SilvaDocument-1.0.3.tgz

1.1

Silva-1.1.2.tgz

SilvaDocument-1.1.2.tgz

The beta version of Silva 1.2, already released, also contains the fixes.

Quick installation instructions

To install this bugfix release, first remove the old Silva product, then
unpack the .tgz file for your current Silva version in the Zope Products
directory, and restart Zope. If you're running 0.9.3, 1.0 or 1.1, you
should also replace the SilvaDocument product with the updated version.
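
The steps above as a shell script, added here as an example and not Infrae's own tooling. It assumes each .tgz unpacks to a single top-level directory named after the product; the function names, the directory arguments and the backup location are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumes each .tgz unpacks to one
# top-level directory named after the product (Silva/ or SilvaDocument/).

# Products to replace per major version, as the advisory states.
products_to_upgrade() {
    case "$1" in
        0.9.1|0.9.2)   echo "Silva" ;;
        0.9.3|1.0|1.1) echo "Silva SilvaDocument" ;;
        *) echo "unknown Silva version: $1" >&2; return 1 ;;
    esac
}

# replace_product PRODUCTS_DIR NAME TARBALL BACKUP_DIR (hypothetical helper)
replace_product() {
    products_dir=$1 name=$2 tarball=$3 backup_dir=$4
    [ -d "$products_dir" ] || { echo "no Products dir: $products_dir" >&2; return 1; }
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 1; }
    # Check the archive before touching the installed product: every member
    # must sit under NAME/ and none may climb out with "..".
    listing=$(tar -tzf "$tarball") || return 1
    if printf '%s\n' "$listing" | grep -Eqv "^(\./)?$name(/|\$)" ||
       printf '%s\n' "$listing" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "unexpected paths in $tarball" >&2; return 1
    fi
    # Move the old product out of Products so Zope cannot load a stale copy.
    mkdir -p "$backup_dir" || return 1
    if [ -e "$products_dir/$name" ]; then
        mv "$products_dir/$name" "$backup_dir/$name.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    tar -xzf "$tarball" -C "$products_dir"
}

# upgrade_silva MAJOR_VERSION PRODUCTS_DIR TARBALL_DIR BACKUP_DIR
upgrade_silva() {
    names=$(products_to_upgrade "$1") || return 1
    for name in $names; do
        # "Silva-[0-9]*" keeps the Silva glob from matching SilvaDocument.
        for tarball in "$3"/"$name"-[0-9]*.tgz; do break; done
        replace_product "$2" "$name" "$tarball" "$4" || return 1
    done
    echo "products replaced; restart Zope to load them"
}
```

The backup directory should lie outside the Zope Products directory, so that the old product is no longer picked up when Zope restarts.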